...

  • Attributes enabled for export, within object classes enabled for export.
  • Attributes defined by LDAP Schema Plugins and enabled for export.
  • If Unconfigured Attribute Mode is Remove, all other defined attributes within object classes enabled for export (including those defined by Schema Plugins).

...

| Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
| --- | --- | --- |
| Add | Add entry to LDAP (if the entry already exists it will be deleted and replaced) | Deleted |
| Edit | Update configured attributes only | Untouched |
| Status Set To Grace Period | No changes (unless attributes change as part of the grace period) | Untouched |
| Status Set To Expired or Suspended | Update entry to maintain only Person attributes for referential integrity (no Role or Group attributes) | Untouched |
| Status Set Back To Active | Restore Role and Group attributes, or add entry to LDAP if not present | Untouched |
| Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
| Manual Provision | If entry exists: update configured attributes only. If entry does not exist: add entry to LDAP. Warning: attributes are subject to CO Person and Person Role Status. Warning: to completely erase and rewrite a record, an administrator must remove the record from LDAP (manually or by setting the person status to e.g. Deleted) before manually provisioning. | Untouched |

...

  1. The objectClass must have no required attributes, since the LDAP Provisioning Plugin writes the initial record without any knowledge of the schema. If the objectClass has any required attributes, the write will fail with a schema violation. (Schemas with required attributes can be supported via LDAP Schema Plugins.)
  2. Be aware of the implications of the operations described above. For example, if the LDAP Provisioning Plugin decides to delete an entry from LDAP, the attributes managed by external applications in that entry will also be deleted.

Removing ObjectClasses

Warning: when removing an objectclass (whether via configuration or by disabling LDAP Schema Plugins), keep in mind that you may receive schema compliance errors from the LDAP server. This can happen because, for example:

  1. COmanage had previously included an attribute foo in the objectclass fooclass.
  2. When the objectclass is deconfigured, COmanage will emit a list of objectclasses that no longer includes fooclass.
  3. However, the LDAP record still contains the attribute foo. COmanage does not touch this attribute because it is not configured to do so.
  4. The LDAP server complains because the record does not contain an objectclass that defines foo.

In this scenario, it will be necessary to manually clean up the LDAP records to remove foo before COmanage can update the record.
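The two failure modes above (a required attribute the provisioner never writes, and an attribute left behind after its objectclass is deconfigured) are both ordinary objectClassViolation checks on the server side. The following is an added example, not COmanage or LDAP server code: it models those checks against a constructed toy schema (the objectclass names fooclass and barclass and their MUST/MAY lists are invented for illustration) so the scenario and the manual cleanup step can be walked through offline.

```python
# Constructed toy schema: objectClass name -> (MUST attributes, MAY attributes).
# "fooclass" has no MUST attributes (what the provisioning plugin requires);
# "barclass" has one, to show the required-attribute failure.
SCHEMA = {
    "top": ({"objectClass"}, set()),
    "person": ({"cn", "sn"}, {"description"}),
    "fooclass": (set(), {"foo"}),
    "barclass": ({"bar"}, set()),
}


def schema_violations(entry):
    """Return the schema violations an LDAP server would raise for an entry
    (dict: attribute name -> list of values): every MUST attribute of each
    objectClass must be present, and every attribute present must be defined
    (MUST or MAY) by at least one of the entry's objectClasses."""
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown objectClass(es): {unknown}"]
    errors = []
    allowed = set()
    for c in classes:
        must, may = SCHEMA[c]
        allowed |= must | may
        for attr in must:
            if not entry.get(attr):
                errors.append(f"missing required attribute '{attr}' (MUST in {c})")
    for attr in entry:
        if attr not in allowed:
            errors.append(f"attribute '{attr}' not allowed by any objectClass")
    return errors


def reconfigure_objectclasses(entry, new_classes):
    """Model the provisioner emitting a new objectClass list while leaving
    every attribute it is not configured to manage exactly as it was."""
    updated = dict(entry)
    updated["objectClass"] = list(new_classes)
    return updated


def cleanup_unmanaged(entry, attrs):
    """The manual cleanup step: drop attributes no objectClass defines any more."""
    return {a: v for a, v in entry.items() if a not in attrs}


def walkthrough():
    """Run the scenarios; returns the violations seen at each step."""
    # Step 1: record provisioned with fooclass and the attribute foo (constructed data).
    rec = {"objectClass": ["top", "person", "fooclass"],
           "cn": ["Alice Example"], "sn": ["Example"], "foo": ["x"]}
    assert schema_violations(rec) == []
    # Steps 2-4: fooclass is deconfigured, foo is left behind -> server rejects the update.
    after_deconfig = reconfigure_objectclasses(rec, ["top", "person"])
    leftover_errors = schema_violations(after_deconfig)
    # Manual cleanup of foo, after which the update is accepted.
    cleaned = cleanup_unmanaged(after_deconfig, {"foo"})
    cleaned_errors = schema_violations(cleaned)
    # Separate case: an objectClass with a MUST attribute the plugin never writes.
    initial = {"objectClass": ["top", "person", "barclass"],
               "cn": ["Bob Example"], "sn": ["Example"]}
    required_errors = schema_violations(initial)
    return leftover_errors, cleaned_errors, required_errors


if __name__ == "__main__":
    for label, errs in zip(("after deconfigure", "after cleanup", "MUST attribute"), walkthrough()):
        print(f"{label}: {errs or 'OK'}")
```

Against a real directory the same check runs inside the server, so the practical lesson is the one the page states: inspect entries for attributes that only the removed objectclass defined, remove them, and only then let the provisioner update the record.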

See Also